North American Network Operators Group
Re: karl and paul, expostulating
- From: Justin W. Newton
- Date: Thu Feb 20 16:58:00 1997
At 07:23 PM 2/19/97 -0800, Paul A Vixie wrote:
Wahoo, a nanog issue :)
>> Filtering by connection to the SMTP port, based on source address, very
>> definitely DOES work.
>Filtering packets based on source address makes Ciscos go way slow on
>every packet. Filtering based on destination address makes Ciscos go
>very fast on most packets and a little slower on SYN-ACKs.
If you enable flow switching it adds little overhead to the box. On a 7505
with 2 sets of full routes and another partial set of routes (and all of
the updates associated), that pushes some pretty significant traffic, I am
filtering approx 25M/sec of data with a 25k-long extended access list. The
total CPU load on the box is approximately 35%. Oh yeah, the box is also
the DR for area 0 of a fairly large OSPF network (approximately 3k routes).
Before flow switching was enabled, we were running at 80% or so (not for
more than a few minutes before we enabled flow switching, though).
>Sez you. I'd ordinarily expect you to love the idea of "if you don't play
>by my rules I will start my own Internet without you on it."
Go ahead and do so, but not with public resources.
>And, again, wrong. I want spammers to spend 75 seconds of TCP PCB time on
>By blackholing SYN-ACKs and not sending them ICMPs, they lose capacity that
>they could otherwise spend spamming other people. I call this "fighting
Is having them time out on DNS requests so that their entire system runs
slower fighting dirty as well?
>I operate a cooperative resource. I will not have it used against me.
What kind of a port adapter do you need so as not to have to filter the
traffic to the root name server?
Erol's Internet Services
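The thread contrasts two ways of writing the SMTP filter on a Cisco: matching on the source address (what Newton runs) versus matching on the destination address of the return traffic so that the SYN-ACKs are blackholed (what Vixie describes), with flow switching as the thing that keeps the CPU cost tolerable. The configuration below is an added example in classic Cisco IOS syntax and is not from either poster; the interface name, list numbers and addresses (RFC 5737 documentation prefixes) are constructed, and it is only meant to show the shape of each approach, not anyone's production filter.

```cisco
! Added example, not from the original post. Addresses are constructed
! from RFC 5737 documentation prefixes; interface name and list numbers
! are placeholders.
!
! Style 1 -- match on SOURCE address, inbound on the upstream link:
! SMTP connection attempts coming FROM the abusive block are dropped.
! Every inbound packet is compared against the list.
access-list 101 deny   tcp 198.51.100.0 0.0.0.255 any eq smtp
access-list 101 permit ip any any
!
! Style 2 -- match on DESTINATION address, outbound on the upstream link:
! only traffic going BACK to the abusive block from the mail host's port 25
! (i.e. the SYN-ACKs) is dropped. The sender's SYN arrives, is never
! acknowledged, and sits in their TCP state table until it times out.
access-list 102 deny   tcp host 192.0.2.25 eq smtp 198.51.100.0 0.0.0.255
access-list 102 permit ip any any
!
interface Serial0/0
 description upstream link (placeholder name)
 ! Flow switching: the first packet of a flow is evaluated against the
 ! access list, later packets of the same flow are handled from the flow
 ! cache. This is the setting Newton credits for the CPU drop on his 7505.
 ip route-cache flow
 ! Do not send ICMP unreachables for denied packets, so the blackholed
 ! sender gets no hint that it is being filtered ("not sending them ICMPs").
 no ip unreachables
 ! Pick ONE of the two styles for a given interface direction:
 ip access-group 101 in
 ip access-group 102 out
```

Both lists are shown on one interface only so the two styles can be compared side by side; in practice you would apply whichever one the platform handles best, and watch `show processes cpu` before and after enabling `ip route-cache flow` to confirm the effect the post describes rather than assuming it.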